DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 25th November 2009
gpatrick gpatrick is offline
Shell Scout
 
Join Date: Nov 2009
Posts: 103
Thanked 0 Times in 0 Posts
Default OpenBSD chroot vs. FreeBSD jails

I don't intend to start a war but would like to know the real security differences between OpenBSD chroot and FreeBSD jails. Are jails indeed more secure than using chroot or is chroot as secure if implemented correctly?

Please no wars, I'm only looking for information to implement a few web sites now, and possibly a few dozen at a later time. They will all need to access a database and I prefer to use a reverse proxy.
Reply With Quote
  #2   (View Single Post)  
Old 25th November 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

Didn't we discuss this already extensively in http://www.daemonforums.org/showthread.php?t=3983 ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 25th November 2009
gpatrick gpatrick is offline
Shell Scout
 
Join Date: Nov 2009
Posts: 103
Thanked 0 Times in 0 Posts
Default

Coming from Solaris I think I'll just stay with jails on FreeBSD since the concept is the same. Then I don't have to try and get cgi working in chroot or how I'm going to get the reverse proxy working and other things in chroot. Though the thought of chroot with virtual hosts seems nice and then I wouldn't have so many instances of Apache. Though I could do that in a single jail. Just want the ulimate in security for the web sites.

Thank you for your help. I appreciated it.
Reply With Quote
  #4   (View Single Post)  
Old 25th November 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

I'm not sure if you're aware, but chroot(2) is not something that's only available on OpenBSD.. it is a standardized functionally that all POSIX/Unix-alikes support.

Unlike many other systems, OpenBSD makes use of this feature extensively.. most daemons additionally drop root privileges early on during initialization, reducing the blow to the rest of the system.

The ultimate security for hosting multiple sites is.. multiple servers, that's physical security.. if however you prefer to keep things centralized.. you must realize that compromises may happen eventually, having a good recovery policy in place is just good thinking, making things difficult for the said attacker is just icing on the cake.

You have already been told that OpenBSD does not support jails, this is because it's an extensive modification.. it touches practically every part of the system.. and nobody can guarantee that they are impenetrable or invulnerable to attack.

If you believe that jails are a requirement for your setup, then continue using FreeBSD.. but respect that privileged separation, chroot(2) and wise ass thinking is good enough for some people.
Reply With Quote
  #5   (View Single Post)  
Old 25th November 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,431
Thanked 214 Times in 189 Posts
Default

Not to start a war. But the consensus, among the OpenBSD cognescenti, is that virtual machines / Chroot / Jails are not adding additional security, nor platform isolation, though they do offer the appearance of it. Many people think they are getting these through virtualization, but ... the consensus is they are mistaken. You may, if you wish, call that a theory, but the Project members will call it fact, and cite chapter and verse, nastily. You can search the misc@ archives for lots of it.

The use of chroot within OpenBSD itself is for filesystem isolation after privilege separation, for Apache and BIND, primarily.

As it has filesystem virtualization, I have used chroot for development. I was not looking for security or platform isolation, just filesystem isolation.

Last edited by jggimi; 25th November 2009 at 03:31 AM.
Reply With Quote
Reply

Tags
chroot, jail, priviledge separation

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Jails for OpenBSD gpatrick OpenBSD Security 12 20th November 2009 03:44 AM
chroot jail FreeBSD "su: who are you?" Dr_Death_UAE FreeBSD Security 0 27th May 2009 07:51 AM
Chroot web-browsing Oko OpenBSD Security 1 29th December 2008 01:37 PM
Updating FreeBSD Jails after rebuilding world on host anomie Guides 0 10th September 2008 03:23 AM
scponly not working with chroot hamba FreeBSD Security 3 15th May 2008 05:18 PM


All times are GMT. The time now is 11:21 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick